CoinGate Data Processing Agreement

Date last updated: June 4, 2020

Natural or legal person who accepted the Terms and Conditions for use of the CoinGate crypto currency payment processing platform (“Data Controller”);

and

UAB DECENTRALIZED (operating the CoinGate platform), a private limited liability company, established and operating under the laws of Republic of Lithuania, company code: 303423510, address: A. Gostauto str. 8, LT-01108, Vilnius, Lithuania (“Data Processor”);

taking into account that:

The Data Processor provides crypto currency payment processing platform services to the Data Controller;

In the course of providing the above services to the Data Controller, the Data Processor has to process personal data on behalf of and for the interest of the Data Controller;

Article 28(3) of the European Union Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) („GDPR“) requires that processing by a processor shall be governed by a contract or other legal act under the EU or the EU Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller;

have agreed as follows:

1. GLOSSARY
The following terms in this Data processor agreement shall have the following meaning:

Applicable data protection laws – means any national or internationally binding data protection laws or regulations applicable at any time during the term of this Data processor agreement on, as the case may be, the Data Controller or the Data Processor, including GDPR

Data Controller – means an entity or a person that has accepted the Terms and Conditions for use of the CoinGate crypto currency payment processing platform and that determines the purposes and means of the processing of Personal Data;

Data Processor – means UAB Decentralized that processes Personal Data on behalf of the Data controller under this Data processor agreement;

Personal Data – means any information relating to an identified or identifiable natural person;

Sub-processor – means a third party subcontractor engaged by the Data Processor which, as part of the subcontractor’s role of delivering the services, will process Personal Data on behalf of the Data Controller.

2. DATA PROCESSING INSTRUCTIONS

2.1 The Data Processor shall process the personal data on documented instructions from the Data controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or EU Member State law to which the processor is subject.

2.2 The Data Controller’s instructions to the Data Processor regarding the subject-matter and duration of the processing, the nature, and purpose of the processing, the type of Personal Data and categories of data subjects are as follows:

The subject-matter of data processingProvision of CoinGate crypto currency payment processing platform to the Data Controller
The nature and purpose of the processingTo process and exchange crypto currency payments on behalf of the Data Controller
Duration of the processingAs long as the Data Controller has an account with the Data Processor plus 10 (ten) years following the termination of the account
Types of personal dataIP address, e-mail, address of transaction receipt, transaction amount, transaction date and time, transaction currency, other data provided by the purchaser, requests for repayment or overpayments, blockchain addresses, transfer amount, transfer recipient, information provided by data subjects
Categories of data subjectsThe Data Controller’s clients: purchasers (natural persons)

2.3 The Data Processor shall, when processing Personal Data under this Data processor agreement, comply with any applicable data protection laws and applicable recommendations by the data protection authorities or other competent authorities.

2.4 The Data Controller entitles Data Processor to enter into agreements with Sub-processors on The Data Controller ́s behalf for the performance of its obligations under this DPA.

3. COOPERATION

3.1 The Data Processor shall assist the Data Controller in fulfilling its legal obligations under applicable data protection laws, including but not limited to the Data Controller’s obligation to respond to requests for exercising the data subject’s rights to request information (register extracts) and for Personal Data to be corrected, blocked or erased at their request.

3.2 If data subjects, competent authorities or any other third parties request information from Data Processor regarding the processing of Personal Data covered by this Data processor agreement, the Data Processor shall refer such request to the Data Controller.

3.3 In the terms agreed between the parties and to the reasonable extent, the Data Controller shall be entitled, in its capacity as the data controller, to take measures necessary to verify that the Data Processor is able to comply with its obligations under this Data processor agreement, and that Data Processor has in fact undertaken the measures to ensure such compliance pursuant.

3.4 In the terms agreed between the parties and to the reasonable extent, the Data Processor shall assist the Data Controller in data protection impact assessments, prior consultations and other communications with data protection authorities.

4. DATA SECURITY OBLIGATIONS

4.1 The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. The Personal Data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the Data Processor shall implement adequate technical and organizational measures.

4.2 The Data Processor undertakes not to, without the Data Controller’s prior written consent disclose or otherwise make Personal Data processed under this Data processor agreement available to any third party, except for sub-processors engaged in accordance with this Data processor agreement.

4.3 The Data Processor shall take all necessary actions to assist and shall promptly notify the Data Controller in relation to any accidental or unauthorized access to Personal Data or any other security incidents (Personal Data breach) immediately if possible.

5. FINAL PROVISIONS

5.1 The provisions in this Data processor agreement shall apply during such time that Data Processor processes Personal Data in respect of which the Data Controller is the data controller.

5.2 Upon expiry of this Data processor agreement, the Data Processor shall, at the choice of the Data Controller as communicated to the Data Processor, delete or return all Personal Data to the Data Controller and shall ensure that any sub-processor does the same.

5.3 This Data processor agreement shall be an integral part of the Data Processors’ Terms of Service. Any matter not expressly governed by this Data processing agreement shall be governed by the Data Processors’ Terms of Service.